Release 2.8.3 (#145)
* doc: Cleaned up OAG documentation in deployment guide

* bug: Fixed with debug statements for certificates appearing without debugging enabled

* Dict cis_monitoring_checks updated.

* Added repos for network & database admins

* feat:Reduced adb function lines

* feat:Reduced adb function lines

* feat: Added debugging to __ons_read_subscriptions

* fix: Add additional policy to allow auditor group to review CIS and OBP

* fix: Added read for serviceconnectors to support OBP checks

* doc: Updated with the new Auditor Policy to support CIS and OBP checks

* feat: Added error logging for Tag defaults and ADB

* fix: Removed debug statement and reenabled pagination

* doc: Updated Release Version and Tested SDK

* doc: Added date place holder

* doc: Added Cloud Guard Detector and Security Zone Rule Mapping

* doc: Updated release notes for release 2.8.3

* Revert "doc: Added Cloud Guard Detector and Security Zone Rule Mapping"

This reverts commit ee5e951.

* doc: Added Cloud Guard Detector and Security Zones Rule mapping

* doc: Updated release date

---------

Co-authored-by: Andre Correa <[email protected]>
Co-authored-by: Olaf Heimburger <[email protected]>
Co-authored-by: KC Flynn <[email protected]>
Co-authored-by: Samratha S P <[email protected]>
5 people authored Jun 10, 2024
1 parent 36bd093 commit 450275c
Showing 6 changed files with 979 additions and 1,175 deletions.
1 change: 0 additions & 1 deletion DEPLOYMENT-GUIDE.md
Expand Up @@ -472,7 +472,6 @@ After the OAG instance is provisioned follow steps from the [Integrate with Orac
1. As a user in the <label>-cred-admin-group or the Administrator group go to the **Generate API Keys and Oracle Cloud Identifier (OCID) to configure your Cloud Environment in the Oracle Access Governance Console** section and complete all steps in this section.

1. As a user in the <label>-security-admin-group go to the **Establish Connection by Adding a New Connected System - OCI IAM** and complete all steps in this section.
1. A user in the securi

## 4.4 Security Services

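Review bot: the deleted line `1. A user in the securi` is a truncated sentence fragment, so removing it is the right call, and the two remaining steps still form a consistent list because both use the `1.` auto-numbered style. Worth confirming that the fragment was a stray leftover and not the start of an unfinished third step for the security-admin-group; if it was a distinct task, the intended text should be restored rather than dropped.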
118 changes: 59 additions & 59 deletions cis-architecture-mapping.md

Large diffs are not rendered by default.

29 changes: 21 additions & 8 deletions compliance-script.md
Expand Up @@ -23,14 +23,27 @@ The **Auditors Group** that is created as part of the CIS Landing Zone Terraform
**Access to audit retention requires the user to be part of the Administrator group* - the only recommendation affected is CIS recommendation 3.1.

```
Allow group Auditor-Group to inspect all-resources in tenancy
Allow group Auditor-Group to read buckets in tenancy
Allow group Auditor-Group to read file-family in tenancy
Allow group Auditor-Group to read network-security-groups in tenancy
Allow group Auditor-Group to read users in tenancy
Allow group Auditor-Group to use cloud-shell in tenancy
Allow group Auditor-Group to read dynamic-groups in tenancy
Allow group Auditor-Group to read tag-defaults in tenancy
allow group Auditor-Group to inspect all-resources in tenancy
allow group Auditor-Group to read instances in tenancy
allow group Auditor-Group to read load-balancers in tenancy
allow group Auditor-Group to read buckets in tenancy
allow group Auditor-Group to read nat-gateways in tenancy
allow group Auditor-Group to read public-ips in tenancy
allow group Auditor-Group to read file-family in tenancy
allow group Auditor-Group to read instance-configurations in tenancy
allow group Auditor-Group to read network-security-groups in tenancy
allow group Auditor-Group to read resource-availability in tenancy
allow group Auditor-Group to read audit-events in tenancy
allow group Auditor-Group to read users in tenancy
allow group Auditor-Group to use cloud-shell in tenancy
allow group Auditor-Group to read vss-family in tenancy
allow group Auditor-Group to read usage-budgets in tenancy
allow group Auditor-Group to read usage-reports in tenancy
allow group Auditor-Group to read data-safe-family in tenancy
allow group Auditor-Group to read vaults in tenancy
allow group Auditor-Group to read keys in tenancy
allow group Auditor-Group to read tag-namespaces in tenancy
allow group Auditor-Group to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}
```

### Setup the script to run on a local machine
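Review bot: the documented auditor policy now diverges from config/iam_policies.tf in this same commit: this list drops `read dynamic-groups` and `read tag-defaults`, which the previous version had, and it does not include `read serviceconnectors`, which the commit message says was added for the OBP checks. Since this page tells operators which policy to create for the script, either add the missing statements here or state why they are no longer needed. The `ons-family` statement also uses `any` over four `!=` conditions; an operation name can match at most one of the `Create*`, `Update*`, `Delete*`, `Change*` prefixes, so at least three conditions are always true and the `where` clause permits every operation. `all` is the combinator that expresses the intended read-only exception.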
13 changes: 10 additions & 3 deletions config/iam_policies.tf
Expand Up @@ -175,7 +175,8 @@ locals {
"allow group ${join(",", local.network_admin_group_name)} to read instance-agent-plugins in compartment ${local.network_compartment_name}",
"allow group ${join(",", local.network_admin_group_name)} to manage keys in compartment ${local.network_compartment_name}",
"allow group ${join(",", local.network_admin_group_name)} to use key-delegate in compartment ${local.network_compartment_name}",
"allow group ${join(",", local.network_admin_group_name)} to manage secret-family in compartment ${local.network_compartment_name}"]
"allow group ${join(",", local.network_admin_group_name)} to manage secret-family in compartment ${local.network_compartment_name}",
"allow group ${join(",", local.network_admin_group_name)} to manage repos in compartment ${local.network_compartment_name}"]

## Network admin grants on Security compartment
network_admin_grants_on_security_cmp = [
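Review bot: `manage repos` in the network compartment is a broad new grant for the network admin group (full control over Container Registry repositories, not just pulling images), and the commit message only says repos were added without giving a reason. Record the use case in the comment block above this list and check whether `read repos` or `use repos` covers it, so the role stays at least privilege.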
Expand Down Expand Up @@ -214,7 +215,8 @@ locals {
"allow group ${join(",", local.database_admin_group_name)} to use vnics in compartment ${local.database_compartment_name}",
"allow group ${join(",", local.database_admin_group_name)} to manage keys in compartment ${local.database_compartment_name}",
"allow group ${join(",", local.database_admin_group_name)} to use key-delegate in compartment ${local.database_compartment_name}",
"allow group ${join(",", local.database_admin_group_name)} to manage secret-family in compartment ${local.database_compartment_name}"]
"allow group ${join(",", local.database_admin_group_name)} to manage secret-family in compartment ${local.database_compartment_name}",
"allow group ${join(",", local.database_admin_group_name)} to manage repos in compartment ${local.database_compartment_name}"]

## Database admin grants on Network compartment
database_admin_grants_on_network_cmp = [
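Review bot: the same point as for the network admin group applies here: `manage repos` in the database compartment should come with a documented use case, and `use repos` may be sufficient if the database admins only need to pull images.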
Expand Down Expand Up @@ -552,7 +554,12 @@ locals {
"allow group ${join(",", local.auditor_group_name)} to read vss-family in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read usage-budgets in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read usage-reports in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read data-safe-family in tenancy"
"allow group ${join(",", local.auditor_group_name)} to read data-safe-family in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read vaults in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read keys in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read tag-namespaces in tenancy",
"allow group ${join(",", local.auditor_group_name)} to read serviceconnectors in tenancy",
"allow group ${join(",", local.auditor_group_name)} to use ons-family in tenancy where any {request.operation!=/Create*/, request.operation!=/Update*/, request.operation!=/Delete*/, request.operation!=/Change*/}"
]
},
(local.announcement_reader_policy_name) = {
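Review bot: the `where any {...}` clause on the new `use ons-family` statement does not restrict anything. The four `!=` conditions are joined with `any` (logical OR), and because an operation name matches at most one of the `Create*`, `Update*`, `Delete*`, `Change*` prefixes, at least three of the conditions hold for every request, so the clause is always satisfied and mutating ONS operations remain allowed to the auditor group. Use `all` so that every exclusion must hold, and apply the same fix to the copy of this line in compliance-script.md. The other added read grants (`vaults`, `keys`, `tag-namespaces`, `serviceconnectors`) are in line with the read-only auditor role.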

0 comments on commit 450275c
